From fc2ea8f76b6939e1bff4883767e65b37b5a6e55a Mon Sep 17 00:00:00 2001 From: root Date: Sat, 9 May 2020 00:19:38 -0400 Subject: [PATCH] up2date --- common/files/{vimrc.jinja => vimrc} | 3 ++- common/map.jinja | 2 -- common/vimrc.sls | 14 +++++++++--- gitea/install.sls | 1 + icinga2/files/icingaweb2.jinja | 25 +++++++++++++++++++-- icinga2/init.sls | 5 ++++- nginx/init.sls | 12 +++++++--- nginx/map.jinja | 6 +++++ restic/server.sls | 7 ++++++ salt/files/master.jinja | 2 +- salt/files/minion.jinja | 3 ++- samba/files/smb.conf.jinja | 34 +++++++++++++++++++++++++++++ samba/files/wsdd.service | 22 +++++++++++++++++++ samba/init.sls | 29 ++++++++++++++++++++++++ samba/wsdd.sls | 23 +++++++++++++++++++ ssh/files/authorized_keys.jinja | 4 ++-- ssh/files/bashrc.jinja | 2 ++ ssh/init.sls | 4 ++-- top.sls | 2 ++ 19 files changed, 182 insertions(+), 18 deletions(-) rename common/files/{vimrc.jinja => vimrc} (98%) create mode 100644 nginx/map.jinja create mode 100644 restic/server.sls create mode 100644 samba/files/smb.conf.jinja create mode 100644 samba/files/wsdd.service create mode 100644 samba/init.sls create mode 100644 samba/wsdd.sls diff --git a/common/files/vimrc.jinja b/common/files/vimrc similarity index 98% rename from common/files/vimrc.jinja rename to common/files/vimrc index cd9ba8b..457faf4 100644 --- a/common/files/vimrc.jinja +++ b/common/files/vimrc @@ -1,7 +1,6 @@ if v:lang =~ "utf8$" || v:lang =~ "UTF-8$" set fileencodings=ucs-bom,utf-8,latin1 endif - set nocompatible " Use Vim defaults (much better!) set bs=indent,eol,start " allow backspacing over everything in insert mode set ai " always set autoindenting on @@ -69,3 +68,5 @@ set smarttab " always uses spaces instead of tab characters set expandtab +" disable visual on click +set mouse= diff --git a/common/map.jinja b/common/map.jinja index 4ac7396..9ae436c 100644 --- a/common/map.jinja +++ b/common/map.jinja 
@@ -4,13 +4,11 @@ 'packages': [ 'vim' ], - 'vimrc': '/etc/vim/vimrc' }, 'RedHat': { 'packages': [ 'vim-enhanced' ], - 'vimrc': '/etc/vimrc' }, }) %} diff --git a/common/vimrc.sls b/common/vimrc.sls index eee6f96..a766848 100644 --- a/common/vimrc.sls +++ b/common/vimrc.sls @@ -1,10 +1,18 @@ {% from "common/map.jinja" import common with context %} -{{ common['vimrc'] }}: +/root/.vimrc: file.managed: - - source: 'salt://common/files/vimrc.jinja' - - template: jinja + - source: 'salt://common/files/vimrc' - user: root - group: root - mode: 644 +{% for user in salt.pillar.get('users', []) %} +/home/{{user}}/.vimrc: + file.managed: + - source: 'salt://common/files/vimrc' + - user: {{user}} + - group: {{user}} + - mode: 644 + +{% endfor %} diff --git a/gitea/install.sls b/gitea/install.sls index 132bc56..df3e5c8 100644 --- a/gitea/install.sls +++ b/gitea/install.sls @@ -4,6 +4,7 @@ %} {% set basepath = salt.pillar.get('gitea:path') %} +# FIXME: this could be file.managed with source_hash set 'download gitea': cmd.run: - name: 'wget {{ url }} -O {{ basepath }}/bin/gitea && chmod +x {{ basepath }}/bin/gitea && echo {{ ver }} > {{ basepath }}/VERSION' diff --git a/icinga2/files/icingaweb2.jinja b/icinga2/files/icingaweb2.jinja index 7f0ab57..a9be2ad 100644 --- a/icinga2/files/icingaweb2.jinja +++ b/icinga2/files/icingaweb2.jinja @@ -6,7 +6,7 @@ rewrite ^/$ http://icinga.keiran.us/icingaweb2 permanent; location ~ ^/icingaweb2/index\.php(.*)$ { # fastcgi_pass 127.0.0.1:9000; - fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; + fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php; 
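Review bot: The `{% from "common/map.jinja" import common with context %}` line at the top of the common/vimrc.sls hunk is now dead code: `common['vimrc']` was its only use, this hunk removes it, and the companion common/map.jinja hunk drops the `vimrc` keys from the map. Either delete the import or keep the per-platform path in the map and use it for a system-wide copy alongside `/root/.vimrc`. The per-user loop also assumes `/home/{{user}}` already exists on the minion; if a `user.present` state for these accounts is declared elsewhere, a `- require:` on it would make the ordering explicit (inferred, the account states are not in this diff).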
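Review bot: The socket on the changed `fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;` line is hard-coded to 7.3, while nginx/init.sls in this same commit now derives the version from `php_ver` in the new nginx/map.jinja; the two will drift on the next PHP upgrade. This file is rendered with `template: jinja`, so it can share the value: `{% from "nginx/map.jinja" import php_ver with context %}` at the top and `fastcgi_pass unix:/var/run/php/php{{ php_ver }}-fpm.sock;` here. The same hard-coded socket appears in the second hunk of this file (the `/ccfc/` location), which also keeps the `unix://var/run/...` spelling with a doubled slash; normalising it to `unix:/var/run/...` while touching the line avoids two spellings of one path.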
@@ -23,11 +23,32 @@ rewrite ^/$ http://icinga.keiran.us/icingaweb2 permanent; location ~ ^/ccfc/$ { auth_basic "Login"; auth_basic_user_file /var/www/htpasswd_ccfc; - fastcgi_pass unix://var/run/php/php7.0-fpm.sock; + fastcgi_pass unix://var/run/php/php7.3-fpm.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME /var/www/ccfc/index.php; fastcgi_param REMOTE_USER $remote_user; } + + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/icinga.keiran.us/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/icinga.keiran.us/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + } +server { + if ($host = icinga.keiran.us) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + +server_name icinga.keiran.us; + listen 80; + return 404; # managed by Certbot + + +} \ No newline at end of file diff --git a/icinga2/init.sls b/icinga2/init.sls index 93b9dd5..ece989d 100644 --- a/icinga2/init.sls +++ b/icinga2/init.sls @@ -4,6 +4,9 @@ icinga_packages: - pkgs: - icinga2 - icingaweb2 + - icinga2-ido-mysql + - certbot + - python-certbot-nginx apache2: service.dead: @@ -15,7 +18,7 @@ apache2: icingaweb2_vhost: file.managed: - - name: /etc/nginx/sites-enabled/icingaweb2 + - name: /etc/nginx/sites-available/icingaweb2 - source: 'salt://icinga2/files/icingaweb2.jinja' - template: jinja - user: root diff --git a/nginx/init.sls b/nginx/init.sls index 15e461b..7b045b4 100644 --- a/nginx/init.sls +++ b/nginx/init.sls 
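Review bot: The TLS lines added here (`listen 443 ssl;` through `ssl_dhparam`) reference `/etc/letsencrypt/live/icinga.keiran.us/` and `/etc/letsencrypt/options-ssl-nginx.conf`, but nothing in this commit obtains the certificate — the icinga2/init.sls hunk only installs `certbot` and `python-certbot-nginx` — so on a fresh minion nginx will refuse to load this vhost until certbot has been run by hand (inferred; a certbot state may exist outside the diff). The `# managed by Certbot` comments are now misleading: the file is Salt-managed, and a later `certbot --nginx` run that rewrites the deployed copy will be reverted at the next highstate, so either drop the comments or document the one-off manual step in a comment at the top of the template. The new `server { if ($host = ...) { return 301 ...; } ... return 404; }` block is fine as a redirect, but once the site is HTTPS-only an `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 block is worth adding. The file also loses its trailing newline (`\ No newline at end of file`).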
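Review bot: Changing the `- name:` of `icingaweb2_vhost` from `/etc/nginx/sites-enabled/icingaweb2` to `/etc/nginx/sites-available/icingaweb2` leaves nothing in this hunk creating the `sites-enabled` link, so unless another state does it the vhost stops being loaded by nginx (the rest of the `icingaweb2_vhost` state continues past the hunk). If the move is meant to let certbot's nginx plugin find the file in sites-available, a `file.symlink` state that the nginx service watches keeps it enabled.

```yaml
/etc/nginx/sites-enabled/icingaweb2:
  file.symlink:
    - target: /etc/nginx/sites-available/icingaweb2
    - require:
      - file: icingaweb2_vhost
```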
@@ -7,13 +7,15 @@ nginx: - reload: True {% if salt.pillar.get('use_php', True) %} +{% from "nginx/map.jinja" import php_ver with context %} {% set timezone = salt.timezone.get_zone() %} php-fpm: pkg.installed: [] +{% if php_ver is not none %} service.running: - - name: php7.0-fpm + - name: php{{php_ver}}-fpm - enable: True - watch: - file: php_cgi.fixpathinfo=1 @@ -21,19 +23,23 @@ php-fpm: php_cgi.fixpathinfo=1: file.uncomment: - - name: /etc/php/7.0/fpm/php.ini + - name: /etc/php/{{php_ver}}/fpm/php.ini - char: ; - regex: cgi\.fix\_pathinfo\=1 php_date.timezone={{ timezone }}: file.replace: - - name: /etc/php/7.0/fpm/php.ini + - name: /etc/php/{{php_ver}}/fpm/php.ini - append_if_not_found: True - pattern: \;date\.timezone.* - repl: date.timezone = {{ timezone }} +{% else %} +{% do salt.log.error('Could not determine php_ver; might need to re-run state') %} +{% endif %} {% endif %} + /var/www/html/index.html: file.managed: - user: root diff --git a/nginx/map.jinja b/nginx/map.jinja new file mode 100644 index 0000000..3fd5358 --- /dev/null +++ b/nginx/map.jinja @@ -0,0 +1,6 @@ +{% set php_fpm_raw = salt['pkg.version']('php-fpm') %} +{% if php_fpm_raw|length > 0 %} +{% set php_ver = php_fpm_raw.split('+')[0].split(':')[1] %} +{% else %} +{% set php_ver = None %} +{% endif %} diff --git a/restic/server.sls b/restic/server.sls new file mode 100644 index 0000000..616c5cd --- /dev/null +++ b/restic/server.sls @@ -0,0 +1,7 @@ + +restic-vps: + user.present: + - home: /mnt/bak1/restic-vps + - uid: 1002 + - gid: 1002 + diff --git a/salt/files/master.jinja b/salt/files/master.jinja index 458f276..586f086 100644 --- a/salt/files/master.jinja +++ b/salt/files/master.jinja @@ -3,4 +3,4 @@ minion_data_cache: True state_output: changes top_file_merging_strategy: same pillar_merge_lists: True -log_level: warning +log_level: error diff --git a/salt/files/minion.jinja b/salt/files/minion.jinja index 7904ea8..1cc78db 100644 --- a/salt/files/minion.jinja +++ b/salt/files/minion.jinja 
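Review bot: The `{% else %}` branch added at the end of the second nginx/init.sls hunk only calls `salt.log.error(...)`, so when `php_ver` is None the highstate still reports success with php-fpm installed but neither configured nor running. Because nginx/map.jinja reads `pkg.version('php-fpm')` at render time, before the `pkg.installed` declared in the first hunk has run, a fresh minion takes this branch on every first highstate. A failing state in place of the log call makes the condition visible in the job result, e.g. `php_ver_unknown: test.fail_without_changes: - name: 'php_ver could not be determined; re-run the state after php-fpm is installed'`. The `php-fpm` state itself begins in the first hunk, so the `{% if php_ver is not none %}` / `{% endif %}` pair straddles both hunks; a comment next to the `{% if %}` saying that the service block is skipped until the package is present would help.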
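Review bot: `php_fpm_raw.split('+')[0].split(':')[1]` on the third line of nginx/map.jinja assumes the package version carries an epoch (a value shaped like `2:7.3+69`, constructed example); on a package version without one the `[1]` index is out of range and the template fails to render instead of yielding a version. Using the last element, `{% set php_ver = php_fpm_raw.split('+')[0].split(':')[-1] %}`, gives the same result with an epoch and still works without one. A one-line comment stating the expected input, `{# pkg.version('php-fpm') returns '<epoch>:<major.minor>+<rev>' on Debian; keep only major.minor #}`, would document why the two splits are there.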
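Review bot: `user.present` for `restic-vps` is given `- gid: 1002`, but no `group.present` creates that group in restic/server.sls; if gid 1002 does not already exist on the minion the user creation fails (inferred, a group state may exist elsewhere). Adding `restic-vps: group.present: - gid: 1002` before the user state and `- require: - group: restic-vps` on the user makes the file self-contained. The home `/mnt/bak1/restic-vps` also presumes that mount is present; a `- require:` on whatever manages it, or a comment noting the dependency, would make the assumption visible.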
@@ -1,5 +1,6 @@ master: kpi.keiran.us pillar_raise_on_missing: True state_output: changes -log_level: warning +log_level: error +grains_cache: True mysql.default_file: '/root/.my.cnf' diff --git a/samba/files/smb.conf.jinja b/samba/files/smb.conf.jinja new file mode 100644 index 0000000..167df90 --- /dev/null +++ b/samba/files/smb.conf.jinja @@ -0,0 +1,34 @@ +# +# Managed by Salt +# +# run testparm -s after making changes to validate them + +[global] + workgroup = WORKGROUP + log file = /var/log/samba/log.%m + max log size = 1000 + logging = file + panic action = /usr/share/samba/panic-action %d + server role = standalone server + obey pam restrictions = yes + unix password sync = no + map to guest = bad user + usershare max shares = 0 + +{% if salt.pillar.get('samba:enable_homes', false) %} +[homes] + comment = Home Directories + browseable = no + read only = yes + create mask = 0700 + directory mask = 0700 + valid users = %S +{% endif %} + +{% for name, path in salt.pillar.get('samba:shares', {}).items() %} +[{{ name }}] + path = {{ path }} + valid users = @sambashare + read only = yes +{% endfor %} + diff --git a/samba/files/wsdd.service b/samba/files/wsdd.service new file mode 100644 index 0000000..3ecca31 --- /dev/null +++ b/samba/files/wsdd.service 
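Review bot: The `[global]` section in smb.conf.jinja sets no `server min protocol`, so whether SMB1 is still accepted depends on the installed Samba's default rather than on this managed file; adding `server min protocol = SMB2` (and `smb encrypt = desired` where supported) pins the policy. `map to guest = bad user` turns a login with an unknown username into a guest session; the `valid users` lines on the shares keep such a guest out of the data, but the choice deserves a comment such as `# unknown usernames become guest; shares still gate access via valid users`. `{{ path }}` in the share loop comes straight from pillar and is written unquoted, so a path containing spaces or a `%` substitution character silently changes the share definition; the `testparm -s` hint at the top is currently the only guard.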
@@ -0,0 +1,22 @@ +[Unit] +Description=Web Services Dynamic Discovery host daemon +; Start after the network has been configured +After=network-online.target +Wants=network-online.target +; It makes sense to have Samba running when wsdd starts, but is not required +;Wants=smb.service + +[Service] +Type=simple +ExecStart=/usr/bin/wsdd --shortlog +; Replace those with an unprivledged user/group that matches your environment, +; like nobody/nogroup or daemon:daemon or a dedicated user for wsdd +User=nobody +; The following lines can be used for a chroot execution of wsdd. +; Also append '--chroot /run/wsdd/chroot' to ExecStart to enable chrooting +;AmbientCapabilities=CAP_SYS_CHROOT +;ExecStartPre=/usr/bin/install -d -o nobody -g nobody -m 0700 /run/wsdd/chroot +;ExecStopPost=rmdir /run/wsdd/chroot + +[Install] +WantedBy=multi-user.target diff --git a/samba/init.sls b/samba/init.sls new file mode 100644 index 0000000..f39efaf --- /dev/null +++ b/samba/init.sls @@ -0,0 +1,29 @@ +samba_packages: + pkg.installed: + - pkgs: + - samba + - samba-common-bin + +smbd: + service.running: + - enable: True + - watch: + - file: /etc/samba/smb.conf + - pkg: samba_packages + +/etc/samba/smb.conf: + file.managed: + - source: 'salt://samba/files/smb.conf.jinja' + - template: jinja + +{# generate these with print(hashlib.new('md4', "password".encode('utf-16le')).hexdigest()) #} +{% for user, passw in salt.pillar.get('samba:users', {}).items() %} +samba_{{user}}: + pdbedit.managed: + - name: {{user}} + - password: {{passw}} + - password_hashed: True +{% endfor %} + +include: + - samba.wsdd diff --git a/samba/wsdd.sls b/samba/wsdd.sls new file mode 100644 index 0000000..88be3c3 --- /dev/null +++ b/samba/wsdd.sls 
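Review bot: The unit runs wsdd as `User=nobody`, a shared account, and the chroot lines below it are commented out, so the daemon keeps a full view of the filesystem. If this file is copied from upstream wsdd it is worth keeping in sync, but since Salt now owns it the `[Service]` section can carry a dedicated identity and the usual sandboxing directives, and a `Restart=on-failure` is also missing.

```ini
[Service]
Type=simple
ExecStart=/usr/bin/wsdd --shortlog
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
Restart=on-failure
; … unchanged: commented chroot lines …
```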
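Review bot: The `pdbedit.managed` loop in samba/init.sls writes NT hashes (`password_hashed: True`) from the `samba:users` pillar straight into `- password: {{passw}}`; an NT hash is credential-equivalent for SMB authentication, so that pillar needs the same handling as a plaintext secret (encrypted at rest, narrowly targeted) and the state's `changes` output may echo it into the master job cache (inferred; check what `pdbedit.managed` reports). The generation hint in the `{# ... #}` comment relies on `hashlib.new('md4')`, which is unavailable on Python builds linked against OpenSSL 3 unless the legacy provider is loaded; a note to that effect in the same comment saves the next person a confusing error. The `/etc/samba/smb.conf` `file.managed` sets no `user`/`group`/`mode`, unlike common/vimrc.sls in this commit; `- user: root`, `- group: root`, `- mode: 644` would pin it.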
@@ -0,0 +1,23 @@ + +wsdd: + file.managed: + - name: /lib/systemd/system/wsdd.service + - source: salt://samba/files/wsdd.service + service.running: + - enable: True + - watch: + - file: wsdd + - file: wsdd.py + +service.systemctl_reload: + module.run: + - onchanges: + - file: /lib/systemd/system/wsdd.service + +wsdd.py: + file.managed: + - name: /usr/bin/wsdd + - mode: 755 + - source: https://raw.githubusercontent.com/christgau/wsdd/d1c0d3e31768646326a15d9eaef28ec9a3180023/src/wsdd.py + - source_hash: 2b7bd278e38d85c1742aba5d95bd9d81 + diff --git a/ssh/files/authorized_keys.jinja b/ssh/files/authorized_keys.jinja index 2f35fe1..9506fcc 100644 --- a/ssh/files/authorized_keys.jinja +++ b/ssh/files/authorized_keys.jinja @@ -1,6 +1,6 @@ # Managed by Salt -{% set comments = pillar['authorized_keys'].keys()|sort -%} +{% set comments = pillar['global_authorized_keys'].keys()|sort -%} {% for comment in comments -%} -{% set keydata = pillar['authorized_keys'][comment] -%} +{% set keydata = pillar['global_authorized_keys'][comment] -%} {{keydata}} {{comment}} {% endfor -%} diff --git a/ssh/files/bashrc.jinja b/ssh/files/bashrc.jinja index a8394b1..fb4ff37 100644 --- a/ssh/files/bashrc.jinja +++ b/ssh/files/bashrc.jinja @@ -73,5 +73,7 @@ if [ $(id -u) -gt 0 ]; then alias fab='sudo fab' fi +alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo' + # https://git.keiran.us/config-mgmt/puppet/raw/commit/09158fc579f5ee2c00f395971d8c986e3ec08788/modules/keir/files/bash/bashrc diff --git a/ssh/init.sls b/ssh/init.sls index e4c0222..16bc7dd 100644 --- a/ssh/init.sls +++ b/ssh/init.sls @@ -33,7 +33,7 @@ - require: - file: /root/.ssh -{% for user in salt.pillar.get('authkey_users', []) | union(salt.pillar.get('ssh_config_users', [])) %} +{% for user in salt.pillar.get('users', []) | union(salt.pillar.get('ssh_config_users', [])) %} /home/{{user}}/.ssh: file.directory: 
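Review bot: `source_hash: 2b7bd278e38d85c1742aba5d95bd9d81` on the `wsdd.py` state is a 32-hex-digit value, i.e. MD5; Salt accepts it, but MD5 is weak integrity for a script fetched over the network, installed executable as `/usr/bin/wsdd` and run as a system service. Pinning the URL to a commit is the right move; pair it with `source_hash: sha256=<SHA-256 of wsdd.py at that commit>` (placeholder, compute from the pinned file). Ordering is also worth checking: `service.running` under `wsdd` is declared before `service.systemctl_reload`, so on a fresh minion the first start attempt may precede the daemon-reload that registers the new unit (inferred; Salt's systemd module may reload on its own), and `- require: - module: service.systemctl_reload` on the service would make it explicit.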
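Review bot: `${1:-32}` inside the new `alias random='...'` in bashrc.jinja never receives the argument: aliases are plain text substitution, so `random 16` expands to `< /dev/urandom tr -dc A-Za-z0-9 | head -c32;echo 16`, printing 32 characters followed by the literal `16`. A function takes the parameter as intended: `random() { < /dev/urandom tr -dc A-Za-z0-9 | head -c"${1:-32}"; echo; }`. The `if [ $(id -u) -gt 0 ]` block ends on the `fi` just above the addition, so the definition is unconditional, which is presumably what is wanted.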
@@ -57,7 +57,7 @@ {% endfor %} -{% for user in salt.pillar.get('authkey_users', []) %} +{% for user in salt.pillar.get('users', []) %} /home/{{user}}/.ssh/authorized_keys: file.managed: diff --git a/top.sls b/top.sls index 440de78..fc09dff 100644 --- a/top.sls +++ b/top.sls @@ -9,3 +9,5 @@ - salt.master - icinga2 - nginx + - restic.server + - samba